pronto185.com

Found something somewhat interesting via my ssh-ranking project
for the IP 218.28.116.247 (info page | mirror )
So when I notice the attacker has some http server going, I like to take a screenshot of said server.
this IP got:So I downloaded those files, and ran file on them:

So yay, looks like I found some server that’s set up to host stuff for botnets:
Lets start with that C source code: (view it here)

The comment on the c code is: /*
* jessica_biel_naked_in_my_bed.c
*
* Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
* Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
* Stejnak je to stare jak cyp a aj jakesyk rozbite.
*
* Linux vmsplice Local Root Exploit
* By qaaz
*
* Linux 2.6.17 - 2.6.24.1
*
* This is quite old code and I had to rewrite it to even compile.
* It should work well, but I don't remeber original intent of all
* the code, so I'm not 100% sure about it. You've been warned ;)
*
* -static -Wno-format
*/
the first part is in Slovak: (google translate)
* Doval of Knajpa and stare from Wojtas again has nothing to do, kura.
* Gizdi, mate cosyk Here you will find the edge, while a Flow and blabbed.
* Anyway this is old as well as CYP jakesyk crack.

So it’s a rather old linux exploit. So this is most likely post-exploitation stuff (eg attacker already has user-level shell on a out of date linux box and will use this to get root)

lets take a look at the executables. I’m going to use my awesome reverse engineering skills here (aka, lets run strings on it)

autossh is nice little program that will auto restart ssh connections when they drop
This is extremely useful if you use ssh-tunnels a lot.

autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. The idea is from rstunnel (Reliable SSH Tunnel), but implemented in C.

Connection monitoring using a loop of port forwardings or a remote echo service.

Backs off on rate of connection attempts when experiencing rapid failures such as connection refused.

I have my raspberrypi at home using autossh to do a remote port foward of ssh to my server.

To set this up I created an account on my server I just for tunneling.
User called tunnel with the shell set to /bin/false
On the rpi I generated ssh-keys (with no password)

Toss the public key into the tunnel account of the remote servers ~/.ssh/authorized_keys

now test it with out auto ssh:

root@rpi:~# ssh -N -R 3333:localhost:22 tunnel@server
the -N is for no shell; the -R is forwarding the rpi’s ssh’d to your remote server on port 3333
now from the server you can do ssh user@localhost -p 3333 and login :D

Now for autossh!
i use autossh in cron; not _sure_ if that’s how its meant to be used… but it works very nicely
as roots , crontab -e
*/1 * * * * autossh -M 20001 -R 3333:localhost:22 -N tunnel@server
this will check the tunnel every minute, and if its not up it will bring it up

On linux boxes theres a file called /var/log/auth.log where all login attempts to the system are logged, and other things.
If you’ve ever run a linux box on the web with port 22 open you’ll know that it gets hit, and hit hard (especially so if your IP is in a well known ‘server range’ eg:linode.com)
Now most sane people will either just use fail2ban(or something similar) or change the ssh port.
But craycray people like myself like it when auth.log* gets filled up with these attempts for a fun dataset!

About the project:

This project mainly started as something to do using python, sql-alchemy, flask/jinja2 and other things.
What it does is parse though auth.log getting very failed login attempt and tosses it into a database.
then the web-part will query the DB and display interesting things, e.g: http://vps2.pronto185.com/ssh_rank/user/r00t which IP’s have tried the user name ‘r00t’
Remember this project is still in the early phases, and could be unstable. I wouldn’t run this on production boxes. If you want to see data from production boxes, I recommend moving the auth.logs off to some test-server and telling the sshrank.py to parse those

Whats next?:

Going to start doing more digging into the top offenders. Doing port scans, keeping an rdns history for changes, grab the whois data to compare with other offenders.
Also thinking about logging the passwords for failed attempts, Eric Gragsone had an interesting idea on how to do that with pam

‘This is neat, i want this’ and ‘how can i help?’

Get it running?

The readme on github should help you get started. note: it was tested on debain7.2 so if you use something else, you might have to do things different
i have gotten it working on python 2.7 and 2.6.6

How I help?

All the code is on github, feel free to fork/etc… and if I like your changes, I’ll merge it into the main one.
If you don’t know how to use github, I high recommend learning how to use it you can find a lot of links here to figure it out :)

Talk to ….me?!

Best way is via: irc(pronto on: efnet,freenode,snoonet,and other nets…) email: pronto185@gmail.com, or google chat/hangouts